Capital One has been hit with a class action lawsuit over the breach exposing data on 106 million consumers in the U.S. and Canada.
The action, filed by one Duwayne Baird in the U.S. District Court for the Eastern District of Virginia, alleges that Capital One failed to “exercise reasonable care in securing and safeguarding personal information.”
In addition, the financial giant “failed to detect the breach for approximately three months,” the complaint charges.
The alleged data thief, Paige A. Thompson, posted the purloined data on GitHub on April 21.
The company was alerted to the problem on July 17, and determined that the breach had occurred on July 19. It announced this publicly on Monday.
The class action complaint claims that the plaintiff made purchases and paid credit card fees that he would not have paid had he known about the data breach.
The suit, filed by the law firm Murphy, Falcon & Murphy, seeks damages and other relief.
This may be only the first of possible legal actions.
A criminal action was filed against Thompson on Monday in the U.S. District Court for the Western District of Washington, alleging computer fraud and abuse. The complaint, made up of an affidavit filed by Joel Martini, special agent of the FBI, states that Thompson is a systems engineer who was investigated for “intruding into server rented or contacted by…Capital One from a company that provides cloud computing services.”
Martini continues that Thompson worked for that cloud provider in 2015-16.
Thompson is being held in jail pending a Thursday hearing.
The incursion affects 100 million consumers in the U.S. and 6 million in Canada. The exposed data, mostly on credit card applicants, includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Meanwhile, media reports are speculating whether Thompson, who used the handle “erratic,” also took data from other companies.
According to USA Today, Thompson tweeted that she planned to “check into the mental hospital for an indefinite period of time,” for reasons that seemed unclear, and that she had posted comments about Capital One on social media. The report also states that Thompson had worked for Amazon.
On a more positive note, at least one commentator thinks Capital One has handled the episode well so far.
The breach was “reported via a responsible disclosure channel – this highlights the need for companies to have a mechanism or route for responsible disclosure on their website no matter what their line of business is,” says Alastair Pooley, CIO at Snow Software.
Pooley adds that “the incident response within Capital One was extremely rapid with a 2 day turnaround from the report to acknowledgement of an issue and a report to the authorities.”
Pooley concludes, “Companies need to have an incident response process which ensures they can react swiftly to an issue and take the appropriate actions.”
Finally, Pooley notes that “security in the cloud requires expertise just as it does for systems in a data center. Moving to a cloud service typically leads to a re-evaluation of how the application is built and a modern approach to security.”